From c76fb86a7dbccebeecde90597082941221c1a098 Mon Sep 17 00:00:00 2001
From: Alexandre Oliva <lxoliva@fsfla.org>
Date: Thu, 6 Mar 2014 10:07:22 -0300
Subject: [PATCH] Convert chars to len with unsigned buffer

Introduce chars2len to compute a len out of an unsigned char buf[2].
This avoids problems when any of the chars is negative, if char is
signed.
---
 rnetclient.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/rnetclient.c b/rnetclient.c
index 0ce8593..a58b62b 100644
--- a/rnetclient.c
+++ b/rnetclient.c
@@ -31,6 +31,10 @@
 #include "rnet_message.h"
 #include "rnet_encode.h"
 
+static size_t chars2len (unsigned char buf[2]) {
+	return (buf[0] << 8 | buf[1]);
+}
+
 static void * get_creds(char *certfile)
 {
 	static gnutls_certificate_credentials_t cred;
@@ -94,7 +98,7 @@ static int inflateRecord(char *buffer, size_t len, char **out, size_t *olen)
 	zstrm.opaque = Z_NULL;
 	if ((r = inflateInit(&zstrm)) != Z_OK)
 		return -1;
-	*olen = (buffer[3] << 8 | buffer[4]);
+	*olen = chars2len(buffer+3);
 	*out = malloc(*olen);
 	if (!out) {
 		inflateEnd(&zstrm);
@@ -195,7 +199,7 @@ static int rnet_recv(gnutls_session_t session, struct rnet_message **message)
 	buffer = (*message)->buffer;
 	r = gnutls_record_recv(session, buffer, 6);
 	if (buffer[0] == 0x01) {
-		len = (buffer[1] << 8 | buffer[2]);
+		len = chars2len(buffer+1);
 		rnet_message_expand(message, len);
 		buffer = (*message)->buffer + 6;
 		r = gnutls_record_recv(session, buffer, len);
@@ -207,7 +211,7 @@ static int rnet_recv(gnutls_session_t session, struct rnet_message **message)
 		(*message)->len = olen;
 		free(out);
 	} else {
-		len = (buffer[1] << 8 | buffer[2]);
+		len = chars2len(buffer+1);
 		rnet_message_expand(message, len - 1);
 		buffer = (*message)->buffer + 6;
 		r = gnutls_record_recv(session, buffer, len - 1);
-- 
2.20.1